1. Field of the Invention
The present invention relates to computer systems, software architectures and programs, and more particularly to a method, system and computer program product for determining standard Java programs.
2. Description of the Related Art
Java is a robust, portable object-oriented programming language developed by Sun Microsystems, Inc., that is gaining wide acceptance for writing code for the Internet and World Wide Web (hereinafter, “Web”). Java attains its portability through use of a specially-designed virtual machine (“VM”). This virtual machine is also referred to as a “Java Virtual Machine”, or “JVM”. The virtual machine isolates the details of the underlying hardware from the compiler used to compile the Java programming instructions. The compiled code, referred to as Java “byte code”, then runs on top of a JVM, where the JVM is tailored to a specific operating environment.
While Java presents significant advantages by permitting software to be executed on systems of many different architectures, there are few techniques or tools to determine if a particular Java application can be trusted to not contain any errors, viruses or non-standard behavior. Typical solutions require evaluation of source code, in addition to receiving a signed transfer. Unfortunately, this is often not possible, as many distributions only provide the compiled code, and inferring information from the compiled code of a Java application is extremely difficult.
In object-oriented programming environments such as Java, many of the code distributions are generally written to a specification. Such specifications include definitions for both classes and interfaces. Therefore, a standard implementation of the classes and interfaces would generally be considered more trustworthy than one that is not. For example, standard JVMs from large companies are usually more trustworthy than JVMs distributed by smaller companies, which may or may not be standard implementations of the JVM. However, it is difficult to determine from the byte code alone whether a JVM distribution is standard or non-standard.
Since users don't know whether the code they download is standard or non-standard, they are unable to assess the risk the code presents to their computer security. For example, hackers can easily break into a software vendor's system and replace the vendor's standard Java compiled code with their own non-standard version. Typical solutions to this problem require that the code be digitally signed by the software vendor and verified by the customer. However, this is a complicated and expensive process. For example, a common process requires a Public Key Infrastructure and a trusted third party to vouch for the certificate accompanying the code. As a consequence, people who download Java code from various third-party Web sites commonly are forced to implicitly trust the source that gave them the code.
It can be seen that a solution is needed that gives users some assurance that unknown Java byte code is safe for execution on their computer system by permitting the user to independently determine the safety of Java code distributed over the Internet. Information about whether the program's compiled code is a standard or non-standard implementation of the application would be valuable in making such a determination.